libvirt/CVE-2019-3886-remote.patch

commit 9737baf530d80eff19d46a5feb130d3064d47d64
Author: Daniel P. Berrangé <berrange@redhat.com>
Date:   Wed Apr 3 15:00:50 2019 +0100

    remote: enforce ACL write permission for getting guest time & hostname
    
    Getting the guest time and hostname both require use of guest agent
    commands. These must not be allowed for read-only users, so the
    permissions check must validate "write" permission not "read".
    
    Fixes CVE-2019-3886
    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Index: libvirt-5.2.0/src/remote/remote_protocol.x
===================================================================
--- libvirt-5.2.0.orig/src/remote/remote_protocol.x
+++ libvirt-5.2.0/src/remote/remote_protocol.x
@@ -5513,7 +5513,7 @@ enum remote_procedure {
 
     /**
      * @generate: both
-     * @acl: domain:read
+     * @acl: domain:write
      */
     REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
 
@@ -5908,7 +5908,7 @@ enum remote_procedure {
 
     /**
      * @generate: none
-     * @acl: domain:read
+     * @acl: domain:write
      */
     REMOTE_PROC_DOMAIN_GET_TIME = 337,
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`commit 9737baf530d80eff19d46a5feb130d3064d47d64`
			`Author: Daniel P. Berrangé <berrange@redhat.com>`
			`Date: Wed Apr 3 15:00:50 2019 +0100`

			`remote: enforce ACL write permission for getting guest time & hostname`

			`Getting the guest time and hostname both require use of guest agent`
			`commands. These must not be allowed for read-only users, so the`
			`permissions check must validate "write" permission not "read".`

			`Fixes CVE-2019-3886`
			`Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>`

			`Index: libvirt-5.2.0/src/remote/remote_protocol.x`
			`===================================================================`
			`--- libvirt-5.2.0.orig/src/remote/remote_protocol.x`
			`+++ libvirt-5.2.0/src/remote/remote_protocol.x`
			`@@ -5513,7 +5513,7 @@ enum remote_procedure {`

			`/**`
			`* @generate: both`
			`- * @acl: domain:read`
			`+ * @acl: domain:write`
			`*/`
			`REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,`

			`@@ -5908,7 +5908,7 @@ enum remote_procedure {`

			`/**`
			`* @generate: none`
			`- * @acl: domain:read`
			`+ * @acl: domain:write`
			`*/`
			`REMOTE_PROC_DOMAIN_GET_TIME = 337,`